Posted
by
samzenpus
on Thursday February 08, 2007 @07:59AM
from the protect-yourself-at-all-times dept.

amigoro writes "US Senators introduced a bill that better protects the privacy of citizens' personal information in the face of data security breaches across the country. Key features of the bipartisan legislation include increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data."

I think the more important aspect is the increased penalties for willfully concealing a security breach. Increasing criminal penalties is of varying value. One of the reasons criminals commit crimes is because they think they won't get caught, so whether they risk 2 years in jail or 4 isn't going to matter that much to them.

But increasing penalties for willfully covering up a data breach may have more effect. As we've seen, bigger breaches cannot be kept secret for long. There are too many ways for them to be ferreted out. Furthermore, the people who would be in a position to conceal a data breach are often people who are more afraid of jail than those who willfully commit crimes like identity theft.

Of course, what I'd really like to see is a death penalty for spammers.

A fundemental personal privacy/personal data concept that should be the basis of all laws governing how businesses and governments handle and are responsible for personal data should be liability for PD loss/leakage is directly proportional to the amount of PD per individual.

For example, your company leaks:

1) Addresses2) SSN3) Email addresses

That will give you three times the liability of a company that leaks:

1) Address

Make it financially worthwhile for companies to store the absolute minimum PD necessary to operate their business and to create the incentive to delete all unnecessary data at the earliest opportunity.

With storage so cheap and the liability for companies or governments essentially divorced from the actual damage done to personal privacy breaches there is absolutely no reason for any company to store every bit of PD about you on their(insecure) systems.

Seriously, Privacy is a right (according to SCOTUS) but currently the right is in limbo. The limits and effects are mercurial and need to be codified.

Also, I'm far more worried about breaches of privacy by the government than by ID thieves. Shore up my Right to Privacy properly and I'll feel a little better about things. Adding sentencing recommendations to ID theft cases is like hate crime statutes. I'm not/opposed/ to an extra small smackdown for certain crimes (maybe...I admit to some uncertainty here) but I'd rather have a RIGHT to tell the phone company to play a game of Hide and Go Fsck Yourself when they ask for my SSN, for instance. Bonus points if I can get the right to do the same to the US Government when they don't/actually/ need it.

HIPAA is a set of rules, with some teeth, that governs how patient medical information must be handled. The banks, credit agencies, etc would squeal like pigs if such legislation were proposed, but I think that's what we really need.